https://live.paloaltonetworks.com/t5/general-topics/help-needed-on-inbound-nat/m-p/22184#M16161 <HTML><HEAD></HEAD><BODY><P>Answers are inline.</P><P></P><P>You are suggesting that i create a loopback with an IP same as the WebPublicIP and have the same VR and Untrust zone as the WebPublicIP assigned to it?&nbsp;&nbsp; <STRONG>Yes</STRONG>.</P><P></P><P>In the NAT policies, i also have the option to specify a destination interface, should i select teh loopback or leave it to none? <STRONG>None.</STRONG></P><P>Do i need any other static routes on PA to route to the 172.16.0.0 networks?&nbsp; <STRONG>Since it is directly conected, you don't need a static route</STRONG>.</P><P></P><P>In this case, we are just replacing a PIX, so they have the inbound static route already.</P><P></P><P>thanks</P></BODY></HTML> Mon, 10 May 2010 22:34:07 GMT nrice 2010-05-10T22:34:07Z https://live.paloaltonetworks.com/t5/general-topics/help-needed-on-inbound-nat/m-p/22181#M16158 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I need to configure a NAT from a Cisco PIX with config below to PAN. I configured NAT on PAN but the NAT doesn't seem to work</P><P>PIX Config:</P><P><SPAN style="font-family: Verdana; ">static (inside,outside) webpublicip 172.16.10.10 netmask 255.255.255.255 0 0 <BR /> static (inside,dmz) 172.16.10.10 172.16.10.10 netmask 255.255.255.255 0 0 </SPAN></P><P></P><P>PAN config</P><P><SPAN style="font-family: Verdana; ">NAT rule: </SPAN>Source Zone-&gt; Outside, Des Zone-&gt;Outside, Source- Any, Destination-&gt; webpublicip and in the translated packet Destination-&gt; 172.16.10.10<BR /> Security rule: Source Zone-&gt; Outside, Des Zone-&gt;Inside,&nbsp; Source- Any, Destination-&gt; webpublicip<BR /> In monitor traffic log, i do a filter on webpublicip but it says no NAT applied and we can't access this web server from Internet.</P><P></P><P>Note that the outside interface on PAN is on a private IP</P><P></P><P>Would appreciate your help on this.</P><P></P><P>thanks</P></BODY></HTML> Sat, 08 May 2010 12:20:26 GMT https://live.paloaltonetworks.com/t5/general-topics/help-needed-on-inbound-nat/m-p/22181#M16158 vinesh 2010-05-08T12:20:26Z https://live.paloaltonetworks.com/t5/general-topics/help-needed-on-inbound-nat/m-p/22182#M16159 <HTML><HEAD></HEAD><BODY><P class="MsoPlainText" style="margin: 0in 0in 0pt;"><SPAN style="color: #000000; font-size: 12pt; font-family: Consolas; ">Since your outside interface on the PAN is a private IP, you can configure a loopback address (and associated VR) using your WebPublicIP and assign it to the "outside" zone. You will want your external router to have a route statement directing traffic bound for WebPublicIP to be sent to the private IP on the outside interface. The NAT and Security policies you configured for the PAN should then work.<SPAN style="mso-spacerun: yes;">&nbsp; </SPAN></SPAN></P></BODY></HTML> Sat, 08 May 2010 23:54:12 GMT https://live.paloaltonetworks.com/t5/general-topics/help-needed-on-inbound-nat/m-p/22182#M16159 nrice 2010-05-08T23:54:12Z https://live.paloaltonetworks.com/t5/general-topics/help-needed-on-inbound-nat/m-p/22183#M16160 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>You are suggesting that i create a loopback with an IP same as the WebPublicIP and have the same VR and Untrust zone as the WebPublicIP assigned to it?</P><P></P><P>In the NAT policies, i also have the option to specify a destination interface, should i select teh loopback or leave it to none?</P><P>Do i need any other static routes on PA to route to the 172.16.0.0 networks?</P><P></P><P>In this case, we are just replacing a PIX, so they have the inbound static route already.</P><P></P><P>thanks</P></BODY></HTML> Sun, 09 May 2010 15:30:59 GMT https://live.paloaltonetworks.com/t5/general-topics/help-needed-on-inbound-nat/m-p/22183#M16160 vinesh 2010-05-09T15:30:59Z https://live.paloaltonetworks.com/t5/general-topics/help-needed-on-inbound-nat/m-p/22184#M16161 <HTML><HEAD></HEAD><BODY><P>Answers are inline.</P><P></P><P>You are suggesting that i create a loopback with an IP same as the WebPublicIP and have the same VR and Untrust zone as the WebPublicIP assigned to it?&nbsp;&nbsp; <STRONG>Yes</STRONG>.</P><P></P><P>In the NAT policies, i also have the option to specify a destination interface, should i select teh loopback or leave it to none? <STRONG>None.</STRONG></P><P>Do i need any other static routes on PA to route to the 172.16.0.0 networks?&nbsp; <STRONG>Since it is directly conected, you don't need a static route</STRONG>.</P><P></P><P>In this case, we are just replacing a PIX, so they have the inbound static route already.</P><P></P><P>thanks</P></BODY></HTML> Mon, 10 May 2010 22:34:07 GMT https://live.paloaltonetworks.com/t5/general-topics/help-needed-on-inbound-nat/m-p/22184#M16161 nrice 2010-05-10T22:34:07Z